Software Development best practices: A practical Security & Compliance checklist

Rui Pedrosa · Published in Nerd For Tech · Apr 9, 2021

In the last 2 years alone, I have successfully owned/led 4+ software product deliveries, mostly for the US health sector running in AWS. I also help to compile security & compliance reports. Software products in the US health sector, especially when Protected Health Information (PHI) is present, are frequently reviewed against security & compliance standards like HIPAA/HITRUST. Practically speaking, though, I find it hard to have all developers be fully aware of 100+ PDF documents and other security & compliance best practices, so I decided to create a simple “Security & Compliance checklist” that proved to be more effective.

Security and compliance

Security & Compliance checklist — AWS

✅ independent AWS accounts for prod & non-prod environments (highest level of resource isolation). In AWS's words, “You can use multiple AWS accounts to isolate workloads or applications that have specific security requirements, or need to meet strict guidelines for compliance such as HIPAA or PCI.” “AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment based on best practices established.” In the words of one of my customers, it is like compliance in a box that includes (but is not limited to):

Security & Compliance checklist — Health sector-specific (HIPAA/HITRUST requirements)

✅ only AWS HIPAA Eligible Services are used;

✅ application audit trails and logging. More specifically:

  • The actions of every clinician on patient data are stored in audit tables. It is always possible to know who created, updated, viewed, or deleted a piece of patient data;
  • For the most sensitive tables, the platform maintains a full time-stamped history of previous values, which allows rolling back individual pieces of data to a previous state;

Usually, you can easily accomplish this by using a library/framework. For example, in an ASP.NET Core app, I used Entity Framework Plus Audit.
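To make the two audit requirements above concrete, here is an added example (not the article's code, and not how Entity Framework Plus Audit works internally): an append-only audit trail that records who created, updated, viewed or deleted each field, keeps the time-stamped previous values, and can roll one field back to an earlier state. `PatientStore`, its method names and the sample patient data are assumptions made for this illustration; a real application would persist the trail in audit tables rather than in memory.

```python
"""Added example (not from the article): an append-only audit trail with a
time-stamped history of previous values and a rollback operation.
PatientStore, its method names and the sample data are assumptions made
for this illustration, not a real product's code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuditEntry:
    """One immutable line of the trail: who did what, to which record and field."""
    timestamp: datetime
    actor: str                      # clinician (user id) performing the action
    action: str                     # "create", "update", "view" or "delete"
    record_id: str                  # patient record touched
    field_name: Optional[str] = None
    old_value: Any = None
    new_value: Any = None


class PatientStore:
    """In-memory patient-data store in which every access is audited."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, Any]] = {}
        self._audit: List[AuditEntry] = []   # append-only; never edited or pruned

    def _log(self, **fields: Any) -> None:
        self._audit.append(AuditEntry(timestamp=datetime.now(timezone.utc), **fields))

    def create(self, actor: str, record_id: str, data: Dict[str, Any]) -> None:
        if record_id in self._records:
            raise ValueError(f"record {record_id} already exists")
        self._records[record_id] = dict(data)
        for name, value in data.items():
            self._log(actor=actor, action="create", record_id=record_id,
                      field_name=name, new_value=value)

    def view(self, actor: str, record_id: str) -> Dict[str, Any]:
        # Reads of PHI are audited too, not only changes.
        self._log(actor=actor, action="view", record_id=record_id)
        return dict(self._records[record_id])

    def update(self, actor: str, record_id: str, field_name: str, new_value: Any) -> None:
        record = self._records[record_id]
        old_value = record.get(field_name)
        record[field_name] = new_value
        self._log(actor=actor, action="update", record_id=record_id,
                  field_name=field_name, old_value=old_value, new_value=new_value)

    def delete(self, actor: str, record_id: str) -> None:
        old = self._records.pop(record_id)
        for name, value in old.items():
            self._log(actor=actor, action="delete", record_id=record_id,
                      field_name=name, old_value=value)

    def history(self, record_id: str, field_name: str) -> List[AuditEntry]:
        """Time-stamped list of every change to one field, oldest first."""
        return [e for e in self._audit
                if e.record_id == record_id and e.field_name == field_name
                and e.action in ("create", "update", "delete")]

    def rollback(self, actor: str, record_id: str, field_name: str, steps: int = 1) -> Any:
        """Restore the value the field had before its last `steps` changes.
        The rollback is recorded as a normal update, so the trail stays complete."""
        changes = self.history(record_id, field_name)
        if not 1 <= steps <= len(changes):
            raise ValueError(f"only {len(changes)} change(s) recorded for {field_name}")
        previous = changes[-steps].old_value
        self._records.setdefault(record_id, {})   # re-create if the record was deleted
        self.update(actor, record_id, field_name, previous)
        return previous

    def who_touched(self, record_id: str) -> List[Tuple[str, str, Optional[str]]]:
        """Answer 'who created, updated, viewed or deleted this record?'"""
        return [(e.actor, e.action, e.field_name) for e in self._audit
                if e.record_id == record_id]


if __name__ == "__main__":
    store = PatientStore()                                  # constructed sample data
    store.create("dr_adams", "patient-001", {"diagnosis": "initial", "dob": "1970-01-01"})
    store.update("dr_baker", "patient-001", "diagnosis", "revised")
    store.view("nurse_cole", "patient-001")
    store.rollback("dr_adams", "patient-001", "diagnosis")
    for actor, action, field_name in store.who_touched("patient-001"):
        print(actor, action, field_name)
```

Two design points carry over to any real implementation: the trail is append-only (a rollback adds an entry instead of deleting one, so the audit answers "who changed this, and who reverted it"), and plain reads of PHI are logged alongside writes, because "who viewed" is part of the requirement.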

Security & Compliance checklist — The usual stuff

✅ data encryption at rest (database encryption, etc.)

✅ data encrypted in transit (HTTPS)

✅ always have an up-to-date list of open source libraries being used. For example, you can have a link to your package.json or .csproj file

✅ code is regularly checked against the OWASP Top Ten security vulnerabilities. For .NET, I like to look at the DotNet Security Cheat Sheet as well

✅ the infrastructure is provisioned using code (aka IaC) and covered by unit tests that run as part of the build. Examples of those unit tests include checks that the production database is placed in an isolated network (not publicly available) or that an AWS S3 bucket has encryption at rest enabled
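The two checks named in that item, written as an added example (not the article's or any project's code) against a CloudFormation-style template parsed from JSON. The template and its resource names are constructed for this illustration; the property names (`PubliclyAccessible`, `StorageEncrypted`, `BucketEncryption`) are the real CloudFormation ones. Wiring `run_checks` into the build so that any finding fails it is what turns this into the unit test the checklist asks for.

```python
"""Added example (not from the article): build-time IaC checks over a
CloudFormation-style template. The template is constructed for this
illustration; the property names are the real CloudFormation ones."""
import json
from typing import Any, Dict, List

# Constructed sample template: two buckets and two databases, two of them wrong.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "PhiBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}
          ]
        }
      }
    },
    "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "ProdDb": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "postgres", "PubliclyAccessible": true, "StorageEncrypted": true}
    },
    "ReportingDb": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "postgres", "PubliclyAccessible": false}
    }
  }
}
""")


def resources_of_type(template: Dict[str, Any], type_name: str) -> Dict[str, Dict[str, Any]]:
    """Map logical id -> Properties for every resource of the given type."""
    return {name: res.get("Properties", {})
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == type_name}


def databases_not_public(template: Dict[str, Any]) -> List[str]:
    """Logical ids of RDS instances that are not explicitly private.
    An absent PubliclyAccessible is reported too: its default depends on the
    VPC/subnet setup, and an isolated production database should say so explicitly."""
    return [name for name, props in resources_of_type(template, "AWS::RDS::DBInstance").items()
            if props.get("PubliclyAccessible") is not False]


def databases_not_encrypted(template: Dict[str, Any]) -> List[str]:
    """Logical ids of RDS instances without StorageEncrypted: true (encryption at rest)."""
    return [name for name, props in resources_of_type(template, "AWS::RDS::DBInstance").items()
            if props.get("StorageEncrypted") is not True]


def buckets_not_encrypted(template: Dict[str, Any]) -> List[str]:
    """Logical ids of S3 buckets with no server-side encryption rule configured."""
    violations = []
    for name, props in resources_of_type(template, "AWS::S3::Bucket").items():
        rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
        if not any("ServerSideEncryptionByDefault" in rule for rule in rules):
            violations.append(name)
    return violations


def run_checks(template: Dict[str, Any]) -> List[str]:
    """All findings as readable lines; an empty list means the template passes."""
    findings = []
    findings += [f"{n}: database must set PubliclyAccessible to false"
                 for n in databases_not_public(template)]
    findings += [f"{n}: database must set StorageEncrypted to true"
                 for n in databases_not_encrypted(template)]
    findings += [f"{n}: bucket has no server-side encryption rule"
                 for n in buckets_not_encrypted(template)]
    return findings


if __name__ == "__main__":
    import sys
    results = run_checks(SAMPLE_TEMPLATE)
    print("\n".join(results) or "all checks passed")
    sys.exit(1 if results else 0)   # non-zero exit fails the build
```

Note that the checks fail closed: a missing property counts as a finding, so a resource cannot pass by simply omitting the setting. Real templates are often YAML with intrinsic functions (`Ref`, `Fn::Sub`), so in practice you would load them with a CloudFormation-aware parser or run the same logic against the synthesized template that your IaC tool emits.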

✅ use Static Code Analysis tools. Use tools that not just check your code but your dependencies as well. Preferably, have them set up as part of your pipeline. I had a great experience with SonarQube and Black Duck, but there are more good tools out there for sure. At least, if you are using GitHub, you have no excuse not to enable automatic security checks from now on;

Security & Compliance checklist — Company level

✅ 2FA enabled. For example, on a customer GitHub account, I set 2FA as mandatory at the organization level;

✅ the customer knows all persons with access to production. No new access is granted without previous approval. Persons are automatically removed if they leave (part of the onboard/exit checklist). Basic stuff, I know, always good to have in mind;

✅ all manual changes in production are done under a four-eyes policy, but those are rare events because everything is deployed by code 😎

✅ all code is reviewed by at least one person. In GitHub, this is usually enforced via the code owners concept

✅ authorization rules, especially those that guard sensitive data like Protected Health Information (PHI), are covered by tests
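What "covered by tests" can look like for PHI authorization, as an added example (not the article's or any product's rules): a deny-by-default, field-level policy function followed by the tests that pin each rule down. The roles, field names and the policy itself are assumptions made for this illustration.

```python
"""Added example (not from the article): field-level authorization rules for
Protected Health Information and the tests that cover them. Roles, fields and
the deny-by-default policy are assumptions for this illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet


class Role(Enum):
    CLINICIAN = "clinician"
    BILLING = "billing"
    ADMIN = "admin"        # platform administration, no clinical need-to-know
    PATIENT = "patient"


@dataclass(frozen=True)
class User:
    user_id: str
    role: Role


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    care_team: FrozenSet[str]   # user ids of clinicians treating this patient


PHI_FIELDS = frozenset({"diagnosis", "medications", "clinical_notes"})
BILLING_FIELDS = frozenset({"insurance_id", "billing_address"})
ALL_FIELDS = PHI_FIELDS | BILLING_FIELDS


def allowed_fields(user: User, record: PatientRecord, action: str) -> FrozenSet[str]:
    """Fields `user` may `action` ("read"/"write") on `record`; empty means denied.
    Every branch grants; anything not matched falls through to deny-by-default."""
    if action not in ("read", "write"):
        return frozenset()
    if user.role is Role.CLINICIAN and user.user_id in record.care_team:
        return ALL_FIELDS                       # treating clinicians: full access
    if user.role is Role.PATIENT and user.user_id == record.patient_id and action == "read":
        return ALL_FIELDS                       # patients may read their own record
    if user.role is Role.BILLING and action == "read":
        return BILLING_FIELDS                   # billing never sees clinical PHI
    return frozenset()                          # admins, other clinicians, other patients


def can_access(user: User, record: PatientRecord, action: str, field_name: str) -> bool:
    return field_name in allowed_fields(user, record, action)


# --- tests that pin the rules down (run with: python -m pytest <this file>) ---
RECORD = PatientRecord(patient_id="pat-1", care_team=frozenset({"dr-1"}))  # constructed
TREATING = User("dr-1", Role.CLINICIAN)
OTHER_DOC = User("dr-2", Role.CLINICIAN)
BILLER = User("bill-1", Role.BILLING)
ADMIN = User("adm-1", Role.ADMIN)
OWNER = User("pat-1", Role.PATIENT)
OTHER_PATIENT = User("pat-2", Role.PATIENT)


def test_treating_clinician_has_full_access():
    assert allowed_fields(TREATING, RECORD, "write") == ALL_FIELDS


def test_clinician_outside_care_team_is_denied():
    assert not can_access(OTHER_DOC, RECORD, "read", "diagnosis")


def test_billing_reads_billing_fields_only():
    assert can_access(BILLER, RECORD, "read", "insurance_id")
    assert not can_access(BILLER, RECORD, "read", "diagnosis")
    assert not can_access(BILLER, RECORD, "write", "insurance_id")


def test_admin_never_sees_phi():
    assert allowed_fields(ADMIN, RECORD, "read") == frozenset()


def test_patient_reads_own_record_only():
    assert can_access(OWNER, RECORD, "read", "medications")
    assert not can_access(OWNER, RECORD, "write", "medications")
    assert not can_access(OTHER_PATIENT, RECORD, "read", "medications")


def test_unknown_action_is_denied():
    assert allowed_fields(TREATING, RECORD, "export") == frozenset()
```

The negative tests are the valuable ones here: a future refactor that accidentally lets the admin role or a non-treating clinician read a PHI field fails the build instead of reaching an audit.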

To sum up:

Security and compliance risk is an ongoing concern for all organizations, so you should look at this list as a starting point and not as a complete or even extensive one. For example, the AWS security offering involves a lot of services that I didn’t mention. I didn’t mention them because some of them are already being used as part of the AWS Control Tower setup or simply because I wasn’t using them when I wrote this. That being said, everything is a matter of time and priority, so I prefer to center my attention on automation. An IBM study found that a large percentage of all data breaches are caused by human error, so I prefer to spend my time setting up automatic code & dependency scanning as part of the CI/CD pipeline or having infrastructure covered by unit tests that run automatically as well.

Lastly, I frequently use this list to:

👉 raise security and compliance awareness at the organization level. For example, I usually make those lists part of a project/product/company onboarding checklist. Checklists proved to be effective when I was helping 6+ teams (20+ persons) as a Lead Solutions Architect / Security Champion at Basecone;

👉 help me compile security and compliance reports for security and compliance audits;

👉 help me with customer discussions. For example, I use this as a starting point for a roadmap discussion;

I’m sure you have many things to add, so why not drop me a message in the comment box so I can improve this list? It may even become a GitHub repo where everyone is w3lc0me to contribute. 😎
